ajax proxy: quote URL before passing it to Nginx

2023-08-28 17:57:44 +02:00 · 2023-08-28 17:57:44 +02:00 · bcdac413be
commit bcdac413be
parent 8c9ee91b42
2 changed files with 9 additions and 5 deletions
--- a/umap/tests/test_views.py
+++ b/umap/tests/test_views.py
@ -127,9 +127,9 @@ def test_invalid_proxy_url_should_return_400(client):


 def test_valid_proxy_request_with_x_accel_redirect(client, settings):
-    settings.UMAP_XSENDFILE_HEADER = 'X-Accel-Redirect'
+    settings.UMAP_XSENDFILE_HEADER = "X-Accel-Redirect"
    url = reverse("ajax-proxy")
-    params = {"url": "http://example.org", "ttl": 300}
+    params = {"url": "http://example.org?foo=bar&bar=foo", "ttl": 300}
    headers = {
        "HTTP_X_REQUESTED_WITH": "XMLHttpRequest",
        "HTTP_REFERER": settings.SITE_URL,
@ -137,7 +137,10 @@ def test_valid_proxy_request_with_x_accel_redirect(client, settings):
    response = client.get(url, params, **headers)
    assert response.status_code == 200
    assert "X-Accel-Redirect" in response.headers
-    assert response["X-Accel-Redirect"] == "/proxy/http://example.org"
+    assert (
+        response["X-Accel-Redirect"]
+        == "/proxy/http%3A//example.org%3Ffoo%3Dbar%26bar%3Dfoo"
+    )
    assert "X-Accel-Expires" in response.headers
    assert response["X-Accel-Expires"] == "300"

--- a/umap/views.py
+++ b/umap/views.py
@ -7,6 +7,7 @@ from datetime import date, timedelta
 from http.client import InvalidURL
 from pathlib import Path
 from urllib.error import URLError
+from urllib.parse import quote

 from django.conf import settings
 from django.contrib import messages
@ -346,7 +347,6 @@ def validate_url(request):

 class AjaxProxy(View):
    def get(self, *args, **kwargs):
-        # You should not use this in production (use Nginx or so)
        try:
            url = validate_url(self.request)
        except AssertionError:
@ -357,11 +357,12 @@ class AjaxProxy(View):
            ttl = None
        if getattr(settings, "UMAP_XSENDFILE_HEADER", None):
            response = HttpResponse()
-            response[settings.UMAP_XSENDFILE_HEADER] = f"/proxy/{url}"
+            response[settings.UMAP_XSENDFILE_HEADER] = f"/proxy/{quote(url)}"
            if ttl:
                response["X-Accel-Expires"] = ttl
            return response

+        # You should not use this in production (use Nginx or so)
        headers = {"User-Agent": "uMapProxy +http://wiki.openstreetmap.org/wiki/UMap"}
        request = Request(url, headers=headers)
        opener = build_opener()